Ransomware and DDoS attacks are costly to the organisations that fall victim to them: reputational damage and the cost of picking up the pieces come on top of potential enforcement action by the ICO and compensation claims by data subjects.
What are ransomware and DDoS attacks?
Ransomware is a type of malware that attempts to unlawfully encrypt files on a host computer system, rendering them inaccessible and unusable (ICO). Victims of ransomware attacks are asked to pay, often in cryptocurrency, to have the data returned and/or decrypted.
DDoS (Distributed Denial of Service) attacks are malicious attempts to overwhelm a targeted server, service or network to disrupt normal traffic and render it inaccessible (Cloudflare). Nowadays, DDoS attacks are often amplified by hijacked IoT equipment and other connected devices.
What are the legal consequences?
Both types of attack target one or more of the pillars of the Confidentiality-Integrity-Availability information security triad, including by blocking or inhibiting access to personal data, which can result in breaches of the EU GDPR or UK GDPR. Additionally, attackers can threaten to publish the personal data online if the victim fails to pay.
Under the GDPR, organisations must uphold principles such as integrity and confidentiality when processing data, and must ensure the rights of data subjects, including the right of access. By falling victim to a ransomware attack, an organisation could be at risk of an “availability”, “integrity” and/or “confidentiality” breach. DDoS attacks could also lead to an “availability” breach.
Why does this matter?
Last year’s NCSC Annual Review identified ransomware attacks as the most significant cyber threat. While organisations are well aware of the practical and reputational consequences of a cyberattack, including the costs of rectifying information security weaknesses, more emphasis and awareness is needed on the potential legal consequences.
The ICO recently published new guidance on how to deal with ransomware attacks, including what constitutes a personal data breach and the additional preventative measures organisations should take. The ICO has highlighted that a failure to follow available guidance has influenced its determination of whether an organisation acted reasonably in meeting its obligations as data controller and, as a result, the penalty amount.
The guidance was published in light of the ICO’s first ransomware-related fine, of £98,000, issued to Tuckers LLP. Tuckers was found to be in breach of Article 5(1)(f) GDPR, the data processing principles of integrity and confidentiality, after failing to take adequate security measures that were recommended by government-backed bodies and that it would have been reasonable to expect the law firm to have implemented at the time of the cyberattack.
Additionally, an organisation may be exposed to compensation claims by data subjects for material damage or for infringement of their right of access. As we have seen with the rise of cookie claims by individuals, despite a low level of enforcement by the ICO, individuals are not afraid to try to claim back costs for loss of control, material damage and/or distress.
What can you do about it?
Preparation is key to preventing, or at least mitigating the fallout of, a ransomware or DDoS attack, and therefore an availability, integrity and/or confidentiality breach. The NCSC has a free online tool for planning a cyber incident management exercise, and the ICO provides a 10-part checklist and several scenarios to help organisations tackle data breaches.
In summary, organisations need to tick off:
- Policies
- Identification
- Technical controls
- Access controls
- Vulnerability management
- Training and awareness
- Detection
- Incident
- Disaster recovery
- Assurance
More information can be found on the ICO’s website and the NCSC website. In addition, you can listen to SPB partner Malcolm Dowden discussing how to protect your digital assets in light of the much speculated cyber threats from Russia, together with practical considerations and mitigation steps for businesses to consider and implement, on the latest episode of the ‘Now and Next’ podcast series.
Our global Data Privacy, Cybersecurity and Digital Assets team is perfectly placed to assist organisations in navigating through this area. For assistance, please reach out to the authors.